Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d92e6b60ee...ba.exe

windows7-x64

10

d92e6b60ee...ba.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/12/2023, 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d92e6b60eecc9c96a1ad74e2d5c9ccba.exe

  • Size

    2.3MB

  • MD5

    d92e6b60eecc9c96a1ad74e2d5c9ccba

  • SHA1

    d7fcb40fa9a63dfaef531600da64c135d3079bd2

  • SHA256

    8efce4180ae0e0f3c75dd2e13e44288c4352223f4b556c43bbb5cb96f8aec3ee

  • SHA512

    ef9430611ea5b79108481cfa80961c569f0e2df82503afedff382f4f9bb0ed8227687a46b1c4e14af5692d81031b17c0c2bdb19bfac59cc59f3c3b099a332f37

  • SSDEEP

    24576:FD+2lLAnMrJAmvGlBla8SmYU05za8oq9xKG+K/jAnKeL5qTZBHR1k85onek0nn15:FLuMNdGddGxsKrAEZZR1KneNBL2NuW

Score
10/10
zgratpersistencerat

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d92e6b60eecc9c96a1ad74e2d5c9ccba.exe
    "C:\Users\Admin\AppData\Local\Temp\d92e6b60eecc9c96a1ad74e2d5c9ccba.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Rbtqvuqexxqqfvkdqsvr.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Programs\Steam.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3872
    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1328

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1328-2289-0x0000000074D40000-0x0000000074D79000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1328-2306-0x00000000750E0000-0x0000000075119000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1328-2303-0x00000000750E0000-0x0000000075119000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1328-2300-0x00000000750E0000-0x0000000075119000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1328-2297-0x00000000750E0000-0x0000000075119000-memory.dmp

    Filesize

    228KB

    Download

  • memory/3872-2273-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3872-2287-0x0000000074EB0000-0x0000000075660000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3872-2281-0x0000000007700000-0x000000000770E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3872-2283-0x0000000007810000-0x000000000782A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3872-2284-0x00000000077F0000-0x00000000077F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3872-2282-0x0000000007710000-0x0000000007724000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3872-2260-0x000000007EEE0000-0x000000007EEF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3872-2262-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3872-2279-0x0000000007750000-0x00000000077E6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3872-2280-0x00000000076D0000-0x00000000076E1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3872-2272-0x00000000067B0000-0x00000000067CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3872-2244-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3872-2278-0x0000000007540000-0x000000000754A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3872-2276-0x0000000007B10000-0x000000000818A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3872-2277-0x00000000074D0000-0x00000000074EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3872-2274-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3872-2275-0x0000000007390000-0x0000000007433000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3872-2261-0x0000000006770000-0x00000000067A2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3872-2241-0x0000000004B60000-0x0000000004B96000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3872-2242-0x0000000074EB0000-0x0000000075660000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3872-2259-0x0000000006250000-0x000000000629C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3872-2258-0x00000000061A0000-0x00000000061BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3872-2243-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3872-2257-0x0000000005CD0000-0x0000000006024000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3872-2246-0x0000000005990000-0x00000000059B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3872-2252-0x0000000005A40000-0x0000000005AA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3872-2245-0x00000000052B0000-0x00000000058D8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4768-57-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-51-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-25-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-23-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-19-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-17-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-15-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-13-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-9-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-8-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-1117-0x0000000005720000-0x0000000005730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4768-2222-0x0000000006850000-0x00000000068B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4768-2236-0x0000000074EF0000-0x00000000756A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4768-29-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-31-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-33-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-35-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-37-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-39-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-41-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-45-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-47-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-49-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-27-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-53-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-55-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-1-0x00000000008F0000-0x0000000000B4C000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4768-59-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-61-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-63-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-65-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-69-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-71-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-78-0x0000000074EF0000-0x00000000756A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4768-67-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-43-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-21-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-11-0x0000000002DD0000-0x0000000002E42000-memory.dmp

    Filesize

    456KB

    Download

  • memory/4768-7-0x0000000002DD0000-0x0000000002E48000-memory.dmp

    Filesize

    480KB

    Download

  • memory/4768-6-0x0000000006CC0000-0x0000000006E72000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4768-5-0x00000000056E0000-0x00000000056EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4768-4-0x0000000005720000-0x0000000005730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4768-2-0x0000000005A30000-0x0000000005FD4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4768-3-0x0000000005530000-0x00000000055C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4768-0-0x0000000074EF0000-0x00000000756A0000-memory.dmp

    Filesize

    7.7MB

    Download